4.2 Investigative Methodology

The investigative process, depicted as a sequence of ascending stairs in Figure 4.5, is structured to encourage a complete, rigorous investigation, ensure proper evidence handling, and reduce the chance of mistakes created by preconceived theories and other potential pitfalls. This process applies to criminal investigations as well as military and corporate inquiries dealing with policy violations or system compromise.

Figure 4.5: Categories of the Investigative Process Model (depicted as a flight of stairs).

The categories in Figure 4.5 are intended to be as generic as possible. The unique methods and tools employed in each category tie the investigative process to a particular forensic domain. The terms located on the riser of each step are those more closely associated with the law enforcement perspective. To the right of each term is a more general descriptor that may help to express the essence of each step of the process.

Investigators and examiners work together to scale these steps from bottom to top in a systematic, determined manner in an effort to present a compelling story after reaching the landing (persuasion/testimony). There they will pass their hard work on to prosecutors or other decision makers who scrutinize the findings and decide whether to continue or to refocus resources on other matters. In the case of the courts, investigators will present their findings to the trier-of-fact, who will decide whether the merits of the evidence make a strong enough case to proceed to trial. In civilian and military operational communities, facts are presented to resource managers who will rely on the confidence and accuracy of the information before taking corrective action. Often, in this operational environment, the mission or business objectives are of primary concern, with possible prosecution left as a secondary consideration.

Two items of particular note and special importance stand out in our depiction. First, Case Management plays a vital role and spans all the steps in the process model. It provides stability and enables investigators to tie all relevant information together effectively, allowing the story to be told clearly. In many cases the mechanisms used to structure, organize, and record pertinent details about all events and physical exhibits associated with a particular investigation are just as important as the information presented. Second, the term analysis is used rather loosely in many implementations of the investigative process. Our intent is to attach a more precise definition to this term so that it can be properly placed within the steps of our model. The analysis phase of the investigative process borrows heavily from the long-standing scientific method, beginning with fact gathering and validation, proceeding to hypothesis formation and testing, actively seeking evidence that disproves the hypothesis, and revising conclusions as new evidence emerges.

In general, this model affords investigators and examiners a logical flow of events that, taken together, seek to provide:

  1. Acceptance - the steps and methods have earned professional consensus.

  2. Reliability - the methods employed can be proven (trusted) to support findings.

  3. Repeatability - the process can be applied by all, independent of time and place.

  4. Integrity - the state of evidence is proven (trusted) to be unaltered.

  5. Cause and effect - logical connection between suspected individuals, events, and exhibits.

  6. Documentation - recordings essential for testimonial evidence (expert testimony).

All six tenets have a common purpose - to form the most persuasive argument possible based upon facts, not supposition, and to do so considering the legal criteria for admissibility.

As noted at the beginning of this chapter, although depicted as a linear progression of events in Figure 4.5, the stages in this process are often intertwined, and those professionals who participate may find the need to revisit steps after they were thought to be complete. This "feedback" cannot be avoided, nor should it be. It is often essential to making improvements and enhancements to the methods and tools used in each step. Also, most steps are not only "digital forensic" in nature - many parts of the process function by applying and integrating methods and techniques from police science and criminalistics as aids. Finally, as with most processes, there is a relationship between successive steps. That relationship can often be described by the input and output expected at each stage, with the products of one step feeding into the steps that follow.

With that said, let us take a closer look at each step along with details of the processing required in each and the associated inputs and outputs.

4.2.1 Accusation or Incident Alert

Every process has a starting point - a place, event, or for lack of a better term, a "shot from a starting gun" that signals the race has begun. This step can be signaled by an alarm from an intrusion detection system, a system administrator reviewing firewall logs, curious log entries on a server, or some combination of indicators from multiple security sensors installed on networks and hosts. This initial step can also be triggered by events in more traditional law enforcement settings. Citizens reporting possible criminal activity will lead to investigative personnel being dispatched to a physical scene. That scene will likely contain exhibits of which some may be electronic, requiring part of the investigation to take a digital path. The prevalence of computers makes it increasingly likely that even traditional crimes will have related information derived from digital sources that require close scrutiny.

When presented with an accusation or automated incident alert, it is necessary to consider the source and reliability of the information. An individual making a harassment complaint because of repeated offensive messages appearing on her screen might actually be dealing with a computer worm/virus. An intrusion detection system alert may only indicate an attempted, unsuccessful intrusion, or might be a false alarm. Therefore, it is necessary to weigh the strengths, weaknesses, and other known nuances of the sources, and to include human factors as well as digital ones.

In addition, to assess an accusation or alert thoroughly, some initial fact gathering is usually necessary before launching a full-blown investigation. Even technically proficient individuals sometimes misidentify normal system activity as a computer intrusion. Initial interviews and fact checking can correct such misunderstandings, clarify what happened, and help develop an appropriate response. To perform this fact gathering and initial assessment, it is usually necessary to enter a crime scene and scan, or very carefully sift through, a variety of data sources looking for items that may contain relevant information.

This is a very delicate stage in an investigation because every action in the crime scene may alter evidence. Additionally, delving into an investigation prematurely, without proper authorization or protocols, can undermine the entire process. Therefore, an effort should be made to perform only the minimum actions necessary to determine if further investigation is warranted. Although an individual investigator's experience or expertise may assist in forming internal conclusions that may have associated confidence levels, at this stage few firm, evidence-based conclusions are being drawn about whether a crime or an offence was actually committed.

4.2.2 Assessment of Worth

Those involved in investigative activities are usually busy with multiple cases or have competing duties that require their attention. Given that investigative resources are limited, they must be applied where they are needed most. How this step in the process is handled varies with the associated investigative environment. In law enforcement environments, all suspected criminal activity must be investigated. In civil, business, and military operations, suspicious activity will be investigated, but policy and continuity of operations often replace legalities as the primary concern. Regardless of environment, a form of triage is performed at this step in the process. Questions are asked that try to focus vital resources on the most severe problems or where they are most effective.

Factors that contribute to the severity of a problem include threats of physical injury, potential for significant losses, and risk of wider system compromise or disruption. If a problem can be contained quickly, if there is little or no damage, and if there are no exacerbating factors, a full investigation may not be warranted. The output of this step in the investigative process is a decision that will fall into one of two basic categories.

  • No further action is required - suspicion proved unwarranted. Available data and information are sufficient to indicate no wrongdoing. Document the decision with detailed justification, report, and reassign resources.

  • Continue to apply investigative resources based upon the merits of the evidence examined to this point, with priority based on the initially available information. All incidents or accusations deserve detailed initial investigation. This category calls for discernment based on practical as well as legal precedent, coupled with the informed experience of the investigative team.

Expertise from a combination of on-the-job and certified training plays a tremendous role in effective triage.

4.2.3 Incident/Crime Scene Protocols

When a full investigation is warranted, the first challenge is to retain and document the state and integrity of items (digital or otherwise) at the crime scene. Protocols, practices, and procedures are employed at this critical juncture to minimize the chance of errors, oversights, or injuries. Whoever is responsible for securing a crime scene, whether first responders or digital evidence examiners, should be trained to follow accepted protocols. These protocols should address issues such as health and safety (limiting exposure to hazardous materials such as chemicals in drug labs or potentially infectious body fluids), which other authorities are to be informed, and what must be done to secure the scene.

Preventing people from disturbing a single computer or room is relatively straightforward but, when networks are involved, a crime scene may include sources of evidence in several physically distant locations. Assuming investigators can determine where these locations are, they may not be able to reach them to isolate and preserve associated evidence. This raises the issues of evidence collection on a network, which are discussed in Part 3 of this book.

The product or output of this stage is a secure scene where all the contents are mapped and recorded, with accompanying photographs and basic diagrams to document important areas and items. The evidence is, in essence, frozen in place. This pristine environment is the foundation for all successive steps and provides the "ground truth" for all activities to follow. Items discovered in this initial phase remain an ever-present and unchanging part of the case ahead. Steps that follow will serve to add items as well as the attributes of detail, connection, and validation so vital in building event reconstruction, timelines, and motive.

Importantly, the information gathered during this step regarding the state of a crime scene is at the highest level. This means that potential elements of a crime or incident are usually being scrutinized at the macro level. For the most part, investigators are observing "surface details" of potential evidence that may be indicative but are rarely conclusive.

4.2.4 Identification or Seizure

Once the scene is secured, potential evidence of an alleged crime or incident must be seized. Clear procedures and understanding of necessary legal criteria are essential before activity can proceed successfully. The goal here for trained and experienced investigators is not to seize everything at a scene (physical or virtual) but to make informed, reasoned decisions about just what to seize and be prepared to document and justify the action.

Documentation permeates all steps of the investigative process but is particularly important in the digital evidence seizure step. It is necessary to record details about each piece of seized evidence to help establish its authenticity and initiate the chain of custody. For instance, numbering items, photographing them from various angles, recording serial numbers, and documenting who handled the evidence help keep track of where each piece of evidence came from and where it went after collection. Standard forms and procedures help in maintaining this documentation, and experienced investigators and examiners keep detailed notes to help them recall important details. Any notebook that is used for this purpose should be solidly bound and have page numbers that will indicate if a page has been removed.

In a traditional investigative context, seizure implies "to confiscate" or "to take possession of" material, physical items for detailed scrutiny of the items' state and character at some later time in a controlled facility by proven, prescribed means. In the digital realm, unlike most of the traditional forensic disciplines, the seizure of material items occurs, but all or part of the state and character of some material evidence may be lost almost immediately upon seizure by virtue of the volatility of electronic devices and their design. Many modern computers have large amounts of Random Access Memory (RAM) where process context information, network state information, and much more are maintained. Once a system is powered down, the immediate contents of that memory are lost and can never be completely recovered. So, when dealing with a crime or incident involving digital evidence, it may be necessary to perform operations on a system that contains evidence, especially in network-connected environments.

The output of this phase follows clearly from the triage stage. Inventories should be cataloged, not only of physical electronic components but also of the attributes of those components that indicate possible networking between local and remote devices and other locations. This recognition is vital because it will allow investigators the opportunity to capture important state and character information before power down and seizure are accomplished. Therefore, even if the investigation warrants the seizure of electronic components, methods and techniques that allow "confiscation" of certain volatile system and network information, even in part, should be considered.

At this step, properly trained first responders might be instructed to find and physically seize evidence for later processing by a digital evidence examiner. Two useful documents outlining effective practices for seizing digital evidence are mentioned here briefly and details of this process are presented in later chapters. This information can be adapted to conform to an organization's policies and should be used to create memory aids for investigators and examiners such as procedures, checklists, and forms.

The Good Practices Guide for Computer Based Electronic Evidence, published by the Association of Chief Police Officers in the United Kingdom (NHCTU 2003), provides a starting point for the discussion of the initial step of digital evidence handling. This guide is designed to cover the most common types of computers: electronic organizers and IBM compatible laptops or desktops with a modem. In addition to practical advice, this guide provides the following four overarching principles that are useful for anyone handling digital evidence.

Principle 1: No action taken by the police or their agents should change data held on a computer or other media that may subsequently be relied upon in court.

Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

The US Department of Justice created a useful guide called Electronic Crime Scene Investigation: A Guide for First Responders (USDOJ 2001). This guide discusses various sources of digital evidence, providing photographs to help first responders recognize them, and describes how they should be handled. These documents are useful for developing a standard operating procedure (SOP) that covers simple investigations involving a few computers. An SOP is necessary to avoid mistakes, ensure that the best available methods are used, and increase the probability that two forensic examiners will reach the same conclusions when they examine the evidence.

Keep in mind that digital evidence comes in many forms, including audit trails, application logs, badge reader logs, biometrics data, application metadata, Internet service provider logs, intrusion detection system reports, firewall logs, network traffic, and database contents and transaction records (e.g. Oracle NET8 or 9 logs). Given this variety, identifying and seizing all of the available digital evidence are challenging tasks. More technically involved procedures are required to deal with large servers or evidence spread over a network. Also, situations will arise that are not covered by any procedure. This is why it is important to develop a solid understanding of forensic science and to learn to apply general principles creatively. Initial interviews should be performed to determine who is involved, what people know, what is not known, and what other information needs to be gathered.

4.2.5 Preservation

Working from the known inventory of confiscated or seized components, investigators must act to make sure that potentially volatile items remain unchanged. Another way to put it is that proper actions must be taken to ensure the integrity of potential evidence, physical and digital. The methods and tools employed to ensure integrity are key here. Their accuracy and reliability, as well as their professional acceptance, may be subject to question by opposing counsel if the case is prosecuted. These same criteria will give decision makers outside of court the necessary confidence to proceed on recommendations from their investigators.

To many practitioners in our field this is where digital forensics begins. It is generally the first stage in the process that employs commonly used tools of a particular type. The output of this stage is usually a set of duplicate copies of all sources of digital data. This output provides investigators with two categories of exhibits. First, the original material is cataloged and stored in a proper, environmentally controlled location, in an unmodified state. Second, an exact copy of the original material is made, and it is this copy that will be scrutinized as the investigation continues.

4.2.6 Recovery

Prior to performing a full analysis of preserved sources of digital evidence, it is necessary to extract data that have been deleted, hidden, camouflaged, or that are otherwise unavailable for viewing using the native operating system and resident file system. In some instances, it may also be necessary to reconstitute data fragments to recover an item. Whenever feasible, this process is performed on copies of original digital evidence from the preservation step - this may not be possible in the case of embedded systems.

At this step in the process the focus is on the recovery of all unavailable data whether or not they may be germane to the case or incident. The objective is to identify, and if possible make visible, all data that can be recognized as belonging to a particular data type. The output provides the maximum available content for the investigators and enables them to move to the next phase of the process. It provides the most complete data timeline and may provide insight into the motives of an offender if concrete proof of purposeful obfuscation is found and recorded.

4.2.7 Harvesting

By the start of this phase all the potential digital evidence associated with a case or incident is available for investigation. Activities designed to gather data and metadata (data about data) about all objects of interest may now proceed. This stage in the process is where the actual reasoned scrutiny begins, where concrete facts begin to take shape that support or falsify hypotheses built by the investigative team. Working from the preserved, recovered source material the investigation proceeds to gather descriptive material about the contents. This gathering will typically proceed with little or no discretion related to the data content, its context, or interpretation. Rather, the investigator will look for categories of data that can be harvested for later analysis - groupings of data with certain class characteristics that, from experience or training, seem or are known to be related to the major facts of the case or incident known to this point in the investigation.

For example, an accusation related to child pornography requires visual digital evidence, most likely rendered in a standard computer graphics format like GIF or JPEG. Therefore, the investigators would likely be looking for the existence of files exhibiting characteristics of these graphic formats. That would include surface observables like the object's file type (expressed as a three-character alphanumeric designator in MS Windows based file systems) or, more accurately, a header and trailer unique to a specific graphical format. In the case of incidents related to hacking, investigators might focus some attention on the collection of files or objects associated with particular rootkits or sets of executables, scripts, and interpreted code that are known to aid crackers in successfully compromising systems, as discussed in Chapter 19.

A familiarity with the technologies and tools used, coupled with an understanding of the underlying mechanisms and technical principles involved, is especially important in this step. The general output expected here is large, organized sets of digital data that have the potential to become evidence. It is the first-layer organizational structure that the investigators and examiners will start to decompose in the steps that follow.

4.2.8 Reduction

This step involves activities that help eliminate or target specific items in the collected data as potentially germane to an investigation. This process is analogous to separating the wheat from the chaff. The decision to eliminate or retain is made based on external data attributes such as hashing or checksums, type of data (after type is verified), etc. In addition, material facts associated with the case or incidents are also brought to bear to help eliminate data as potential evidence. This phase remains focused primarily on the overall structure of the object and very likely does not consider content or context apart from examination of fixed formatted internal data related to standards (like headers and trailers). The result (output) of the work in this stage of the investigative process is the smallest set of digital information that has the highest potential for containing data of probative value. This is the answer to the question: "Where's the beef?" The criteria used to eliminate certain data are very important and might possibly be questioned by judge, jury, or any other authorized decision maker.
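The harvesting step (4.2.7) and the reduction step just described can be illustrated together on a small constructed sample. The following Python is an added example, not the book's code: harvesting sweeps in every object whose extension or header suggests a wanted graphics type (JPEG and GIF, as in the text), and reduction then drops items on external attributes only, such as a hash that matches a known-file set or an extension with no matching signature, while recording the criterion behind every elimination so it can be defended later. The file contents, names and the known-hash set are all constructed.

```python
"""Harvesting by surface observables, then reduction by external attributes.

Every input here is a constructed in-memory sample, not real evidence.
"""
import hashlib

# Header and trailer bytes for the two graphics formats named in the text.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x3b"),   # matches both GIF87a and GIF89a
}


def sha256(data: bytes) -> str:
    """Hash used both for integrity records and for known-file elimination."""
    return hashlib.sha256(data).hexdigest()


def detect_type(data: bytes):
    """Return (format, trailer_present) from the header, or (None, False)."""
    for name, (header, trailer) in SIGNATURES.items():
        if data.startswith(header):
            return name, data.endswith(trailer)
    return None, False


def harvest(files: dict, wanted: set) -> dict:
    """Collect every object whose extension OR signature suggests a wanted type.

    Harvesting is deliberately indiscriminate: a renamed or extension-stripped
    graphic must not be missed, so either observable is enough to include it.
    """
    out = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = "jpeg" if ext == "jpg" else ext
        sig, trailer_ok = detect_type(data)
        if ext in wanted or sig in wanted:
            out[name] = {"ext": ext, "sig": sig, "trailer_ok": trailer_ok,
                         "sha256": sha256(data)}
    return out


def reduce_set(harvested: dict, known_hashes: set, wanted: set) -> dict:
    """Keep the smallest set with the highest potential; log why items go."""
    kept, dropped = {}, {}
    for name, attrs in harvested.items():
        if attrs["sha256"] in known_hashes:
            dropped[name] = "hash matches known-file set"
        elif attrs["sig"] not in wanted:
            dropped[name] = f"extension '{attrs['ext']}' but no matching signature"
        else:
            notes = []
            if attrs["ext"] != attrs["sig"]:
                notes.append("extension/signature mismatch: possible obfuscation")
            if not attrs["trailer_ok"]:
                notes.append("trailer missing: partial object, recovery may apply")
            if notes:
                attrs["note"] = "; ".join(notes)
            kept[name] = attrs
    return {"kept": kept, "dropped": dropped}


# Constructed sample "seized" objects (names and bytes are made up).
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16 + b"\xff\xd9",
    "wallpaper.gif": b"GIF89a" + b"\x00" * 12 + b"\x3b",   # known OS-shipped image
    "notes.txt": b"GIF87a" + b"\x01" * 12 + b"\x3b",       # graphic renamed as text
    "readme.gif": b"This is only text, not a GIF.",          # extension is misleading
    "cut.jpg": b"\xff\xd8\xff\xdb" + b"\x02" * 10,           # JPEG header, no trailer
    "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 8,         # not a graphics type
}
# Constructed stand-in for a reference hash set of known, uninteresting files.
KNOWN_HASHES = {sha256(SAMPLE_FILES["wallpaper.gif"])}


def run_demo() -> dict:
    wanted = {"jpeg", "gif"}
    return reduce_set(harvest(SAMPLE_FILES, wanted), KNOWN_HASHES, wanted)


if __name__ == "__main__":
    result = run_demo()
    for name, why in result["dropped"].items():
        print(f"dropped {name}: {why}")
    for name, attrs in result["kept"].items():
        print(f"kept    {name}: {attrs.get('note', 'clean')}")
```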

4.2.9 Organization and Search

To facilitate a thorough analysis, it is advisable to organize the reduced set of material from the previous step by grouping, tagging, or otherwise placing items into meaningful units. At this stage it may be advantageous to actually group certain files physically to accelerate the analysis stage. They may be placed in groups using folders or separate storage media, or in some instances a database system may be employed simply to point to the cataloged file system objects for easy, accurate reference without having to use the rudimentary search capability offered by most host operating systems.

The primary purpose of this activity is to make it easier for the investigator to find and identify data during the analysis step and allow them to reference these data in a meaningful way in final reports and testimony. This activity may incorporate different levels of search technology to assist investigators in locating potential evidence. A searchable index of the data can be created to enable efficient review of the materials to help identify relevant, irrelevant, and privileged material. Any tools or technology used in this regard should be understood fully and the operation should follow as many accepted standards as exist. The results of this stage are data organization attributes that enable repeatability and accuracy of analysis activities to follow.

4.2.10 Analysis

This step involves the detailed scrutiny of data identified by the preceding activities. The techniques employed here will tend to involve review and study of specific, internal attributes of the data such as text and narrative meaning of readable data, or the specific format of binary audio and video data items. Additionally, class and individual characteristics found in this step are used to establish links, determine the source of items, and ultimately locate the offender. Generally, analysis includes these subcategories (including but not limited to):

  • Assessment (content and context) — Human readable (or viewable) digital data objects have content or substance that can be perceived. That substance will be scrutinized to try to determine factors such as means, motivation, opportunity.

  • Experimentation — A very general term but applied here to mean that unorthodox or previously untried methods and techniques might be called for during investigations. All proven methodologies began as experiments so this should come as no surprise especially when applying the scientific method. What remains crucial is that all experimentation be documented rigorously so that the community, as well as the courts, have the opportunity to test it. Eventually, experimentation leads to falsification or general acceptance.

  • Fusion and correlation — These terms are subtly distinct. During the course of the investigation, data (information) have been collected from many sources (digital and non-digital). The likelihood is that digital evidence alone will not tell the full tale. The converse is also true. The data must be fused or brought together to populate structures needed to tell the full story. An example of Fusion would be the event timeline associated with a particular case or incident. Each crime or incident has a chronological component where event or actions fill time slices. This typically answers the questions where, when, and sometimes how? Time slices representing all activities will likely be fused from a variety of sources such as digital data, telephone company records, e-mail transcripts, suspect and witness statements. Correlation is related but has more to do with reasoned cause and effect. Do the data relate? Not only does event B follow event A chronologically, but the substance (e.g. narrative, persons, or background in a digital image) of the events shows with high probability (sometimes intuition) that they are related contextually.

  • Validation — This is the output or result of the Analysis stage. It is the reasoned findings that investigators propose to submit to jurists or other decision makers as "proof positive" for prosecution or acquittal.

A failure to assess digital evidence objectively, and to utilize experimentation, fusion, and correlation to validate it, can lead to false conclusions and personal liability, as demonstrated in the following example.

CASE EXAMPLE (LISER v. SMITH 2003):

Investigators thought they had found the killer of a 54-year-old hotel waitress, Vidalina Semino Door, when they obtained a photograph of Jason Liser from an ATM where the victim's bank card had been used. Despite the bank manager's warning that there could be a discrepancy between the time indicated on the tape and the actual time, Liser's photograph was publicized and he was subsequently arrested, but denied any involvement in the murder. A bank statement confirmed that Liser had been at the ATM earlier that night but that he had used his girlfriend's card, not the murder victim's. Investigators made an experimental withdrawal from the ATM and found that the time was significantly inaccurate and that Liser had used the ATM before the murder took place. Eventually, information relating to the use of the victim's credit card several days after her death implicated two other men, who were convicted of the murder. Liser sued the District of Columbia and Jeffrey Smith, the detective responsible for the mistaken arrest, for false arrest and imprisonment, libel and slander, negligence, and providing false information to support the arrest. The court dismissed all counts except the negligence charge. The court felt that Smith should have made a greater effort to determine how the bank surveillance cameras operated or consulted with someone experienced with this type of evidence, noting, "The fact that the police finally sought to verify the information - and quickly and readily learned that it was inaccurate - after Liser's arrest certainly does not help their cause". Liser's lawsuit against Bank of America for negligence and infliction of emotional distress due to the inaccuracy in the timing mechanism was dismissed.
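The fusion bullet above and the Liser case describe the same discipline from two sides: event timelines are built from sources whose clocks disagree, and each source clock must be checked against a reference before its records are placed on the timeline. The Python below is an added example, not the book's or the court's material: a control observation recorded by both the source and a trusted reference clock (the "experimental withdrawal" idea) yields a per-source offset, every record is corrected by it, and a source that has no control stays on the timeline but is flagged as unverified. Source names, timestamps and events are all constructed.

```python
"""Fusing events from sources with differing clocks into one timeline.

All records below are constructed; none refer to a real case.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


# Constructed source records: (time as recorded by THAT source's clock, event).
SOURCES = {
    "atm_camera": [("2003-03-02 03:10:00", "withdrawal with card X"),
                   ("2003-03-02 03:58:00", "control: investigator withdrawal")],
    "hotel_badge": [("2003-03-02 02:05:00", "victim badge-out, rear exit"),
                    ("2003-03-02 04:02:30", "control: investigator badge swipe")],
    "phone_records": [("2003-03-02 02:20:00", "call from suspect phone")],
}

# Reference-clock reading the investigator noted while performing each control.
CONTROLS = {
    "atm_camera": ("control: investigator withdrawal", "2003-03-02 02:40:00"),
    "hotel_badge": ("control: investigator badge swipe", "2003-03-02 04:02:00"),
}


def measure_offsets(sources: dict, controls: dict) -> dict:
    """Return {source: offset} such that reference_time = recorded + offset.

    A source with no control event gets None: its clock is unverified.
    """
    offsets = {}
    for src, records in sources.items():
        if src not in controls:
            offsets[src] = None
            continue
        control_desc, reference_ts = controls[src]
        recorded = next(parse(t) for t, d in records if d == control_desc)
        offsets[src] = parse(reference_ts) - recorded
    return offsets


def fuse(sources: dict, offsets: dict) -> list:
    """Normalise every non-control record and sort into a single timeline."""
    timeline = []
    for src, records in sources.items():
        off = offsets[src]
        for t, desc in records:
            if desc.startswith("control:"):
                continue  # controls calibrate the clock; they are not events
            recorded = parse(t)
            timeline.append({
                "source": src,
                "event": desc,
                "recorded": recorded,
                "corrected": recorded + off if off is not None else None,
                "unverified_clock": off is None,
            })
    # Unverified records fall back to their raw time but carry the flag.
    timeline.sort(key=lambda e: e["corrected"] or e["recorded"])
    return timeline


def ordered_events(timeline: list, key: str) -> list:
    """Event names ordered by 'recorded' or 'corrected' time (raw if unknown)."""
    return [e["event"] for e in
            sorted(timeline, key=lambda e: e[key] or e["recorded"])]


def run_demo() -> list:
    return fuse(SOURCES, measure_offsets(SOURCES, CONTROLS))


if __name__ == "__main__":
    for e in run_demo():
        flag = " (clock unverified)" if e["unverified_clock"] else ""
        shown = e["corrected"] or e["recorded"]
        print(f"{shown:%Y-%m-%d %H:%M:%S} {e['source']:<14} {e['event']}{flag}")
```

On the raw clocks the withdrawal appears after the badge-out; after correction it precedes it, which is exactly the kind of reversal the ATM experiment in the Liser case exposed.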

4.2.11 Reporting

To provide a transparent view of the investigative process, final reports should contain important details from each step, including reference to protocols followed and methods used to seize, document, collect, preserve, recover, reconstruct, organize, and search key evidence. The majority of the report generally deals with the analysis leading to each conclusion and descriptions of the supporting evidence. No conclusion should be written without a thorough description of the supporting evidence and analysis. Also, a report can exhibit the investigator or examiner's objectivity by describing any alternative theories that were eliminated because they were contradicted or unsupported by evidence.

4.2.12 Persuasion and Testimony

In some cases, it is necessary to present the findings outlined in a report and address related questions before decision makers can reach a conclusion. A significant amount of effort is required to prepare for questioning and to convey technical issues in a clear manner. Therefore, this step in the process includes techniques and methods used to help the analyst and/or domain expert translate technological and engineering detail into understandable narrative for discussion with decision makers.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279